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Foreword 


Most  people  today  live  their  lives  on  smartphones,  and,  in  this  regard  at  least,  criminals  are  no 
different.  While  in  the  past  criminals  may  have  kept  evidence  of  their  crimes  in  file  cabinets,  closets, 
and  safes,  today  that  evidence  is  more  often  found  on  smartphones.  Photos  and  videos  of  child  sexual 
assault;  text  messages  between  sex  traffickers  and  their  customers;  even  a  video  of  a  murder  victim 
being  shot  to  death  -  these  are  just  a  few  of  the  pieces  of  evidence  found  on  smartphones  and  used 
to  prosecute  people  committing  horrific  crimes. 

Last  fall,  a  decision  by  a  single  company  changed  the  way  those  of  us  in  law  enforcement  work  to  keep 
the  public  safe  and  bring  justice  to  victims  and  their  families.  In  September  2014,  Apple  Inc. 
announced  that  its  new  operating  system  for  smartphones  and  tablets  would  employ,  by  default,  what 
is  commonly  referred  to  as  “full-disk  encryption,”  making  data  on  its  devices  completely  inaccessible 
without  a  passcode.  Shortly  thereafter,  Google  Inc.  announced  that  it  would  do  the  same. 

Apple’s  and  Google’s  decisions  to  enable  full-disk  encryption  by  default  on  smartphones  means  that 
law  enforcement  officials  can  no  longer  access  evidence  of  crimes  stored  on  smartphones,  even  though 
the  officials  have  a  search  warrant  issued  by  a  neutral  judge. 

Apple  and  Google  are  not  responsible  for  keeping  the  public  safe.  That  is  the  job  of  law  enforcement. 
But  the  consequences  of  these  companies’  actions  on  the  public  safety  are  severe.  That  is  why  my 
Office  has  been  working  with  our  law  enforcement  partners  around  the  world  to  craft  the  solution 
recommended  in  this  Report.  We  believe  there  is  a  responsible  way  to  balance  safety  and  security. 

This  Report  is  intended  to: 

1)  Summarize  the  smartphone  encryption  debate  for  those  unfamiliar  with  the  issue; 

2)  Explain  the  importance  of  evidence  stored  on  smartphones  to  public  safety; 

3)  Dispel  certain  misconceptions  that  many  privacy  advocates  hold  about  law 
enforcement’s  position  related  to  encryption,  including  the  myth  that  we  support  a 
“backdoor”  or  government-held  “key;” 

4)  Encourage  an  open  discussion  with  technology  companies,  privacy  advocates,  and 
lawmakers;  and 

5)  Propose  a  solution  that  protects  privacy  and  safety. 
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Executive  Summary 


Parts  I  and  II  of  this  Report  summarize  the  issue  at  hand  and  the  relevant  technology. 

Part  III  explains  how  traditional  means  of  investigation  cannot  be  used  to  unlock  a  device  using  an 
operating  system  mnning  full-disk  encryption.  In  this  paper,  the  term  “full-disk  encryption”  means 
the  encryption  of  data  at  rest  on  personal  devices  in  such  a  manner  that  the  passcode  is  required  to 
decrypt  the  data.  This  use  of  the  term  is  different  from  the  technical  definition,  which  involves 
encrypting  all  data  on  a  device  using  the  same  key.  The  definition  that  we  use  is  more  colloquial.  As 
used  in  this  paper,  a  device  running  full-disk  encryption  is  one  that  is  effectively  impregnable  so  that 
law  enforcement  cannot  access  any  of  the  information  on  the  device.  Full-disk  encryption  has  been  a 
significant  hindrance  to  the  investigation  and  prosecution  of  criminals  because  certain  types  of 
evidence  exist  only  on  smartphones.  While  many  privacy  advocates  point  to  the  cloud  as  an  alternative 
source  of  data  for  law  enforcement,  this  Report  explains  why  the  cloud  is  not  a  sufficient  alternative. 

Part  IV  provides  case  examples  to  show  the  cost  to  public  safety  when  operating  system  designers 
use  full-disk  encryption  to  render  their  devices  immune  from  search  warrants.  Our  discussion  of 
smartphone  encryption  is  not  an  academic  exercise.  Every  day,  we  face  real  cases  with  real  victims 
who  suffer  from  the  actions  of  criminals.  We  are  obligated  to  do  everything  we  can  to  bring  these 
criminals  to  justice.  But  smartphone  encryption  has  caused  real  -  not  hypothetical  -  roadblocks  to 
our  ability  to  solve  and  prosecute  crimes. 

PartV  sets  forth  a  proposed  solution:  Congress  should  enact  a  statute  that  requires  any  designer  of 
an  operating  system  for  a  smartphone  or  tablet  manufactured,  leased,  or  sold  in  the  U.S.  to  ensure 
that  data  on  its  devices  is  accessible  pursuant  to  a  search  warrant.  Such  a  law  would  be  well  within 
Congress’s  Commerce  Clause  powers,  and  does  not  require  costly  or  difficult  technological 
innovations. 

Part  VI  considers  some  of  the  principal  objections  that  have  been  made  to  our  proposed  solution: 

•  Our  proposal  and  discussions  on  encryption  are  limited  only  to  data  at  rest  on  smartphones 
and  tablets,  and  not  to  data  in  transit.  Data  at  rest  is  information  that  is  stored  on  various 
sources  after  the  data-creating  event  has  occurred.  Data  in  transit  is  live  information  that  is  in 
the  process  of  being  transferred  from  one  source  to  another,  or  in  other  words,  travelling 
across  a  network. 

Many  of  the  reports  written  about  encryption  and  cyber-privacy  focus  on  law  enforcement’s 
ability  to  access  data  in  transit  and  the  security  improvements  gained  through  encrypting  live 
data  transfers  or  communications.  This  Report  takes  no  position  on  issues  relating  to  the 
encryption  of  data  in  transit. 

•  The  harm  to  personal  security  and  privacy  if  the  proposal  were  to  be  implemented  would  be 
minimal. 

o  Previous  Apple  and  Google  operating  systems  allowed  law  enforcement  to  access  data  on 
devices  pursuant  to  search  warrants.  There  is  no  evidence  of  which  we  are  aware  that  any 


security  breaches  have  occurred  relating  to  those  operating  systems.  Apple  and  Google 
have  never  explained  why  the  prior  systems  lacked  security  or  were  vulnerable  to  hackers, 
and  thus,  needed  to  be  changed.  Those  systems  appeared  to  very  well  balance  privacy  and 
security  while  still  being  accessible  to  law  enforcement  through  a  search  warrant, 
o  Technologists  and  forensics  experts  have  indicated  that  if  a  hacker  were  able  to  learn 
Apple’s  decryption  process  -  which  Apple  guards  extremely  closely  -  that  hacker  would 
also  need  the  actual  device  to  steal  data  from  that  device.  Likewise,  a  thief  who  steals  a 
person’s  locked  smartphone  would  also  need  to  know  either  the  victim’s  passcode  or 
Apple’s  highly  guarded  decryption  process  to  obtain  the  device’s  data, 
o  Apple’s  and  Google’s  new  device  encryption  schemes  do  nothing  to  protect  users  from 
large-scale  institutional  data  breaches  or  spyware. 

•  While  some  have  analogized  any  proposed  legislation  with  the  federal  government’s  failed 
efforts  to  impose  the  “Clipper  Chip”  on  all  phones,  this  Report  does  not  propose  using  any 
technology  similar  to  the  Clipper  Chip.  This  Report  does  not  propose  any  new  technology, 
nor  does  it  propose  that  governments  hold  a  key  to  any  smartphones. 

•  The  proposal  is  similar  to  efforts  being  discussed  in  other  countries  that,  like  ours,  value  both 
personal  privacy  and  the  mle  of  law. 

•  The  proposal  would  not  violate  international  human  rights  law  or  harm  human  rights  activists. 
Rather,  it  would  comport  with  the  United  Nations  Human  Rights  Council’s  standard  in 
determining  when  a  government  can  restrict  encryption. 

•  Technology  companies  and  privacy  advocates  argue  that  if  they  give  the  U.S.  government 
access  to  smartphone  data  pursuant  to  search  warrants,  then  they  must  give  the  same  data  to 
all  governments,  including  repressive  regimes.  This  argument  ignores  the  fact  that  local  law 
enforcement  in  the  U.S.  seeks  access  to  information  only  through  a  lawful  judicial  process.  If 
a  foreign  nation’s  government,  repressive  or  not,  wanted  information  from  an  American 
company,  it  also  would  have  to  go  through  lawful  processes  in  the  U.S. 

Part  VII  lists  questions  —  the  answers  to  which  are  known  only  to  Apple  and  Google  —  that  must  be 
answered  to  advance  the  debate.  The  Manhattan  District  Attorney’s  Office  sent  questions  to  Apple 
and  Google,  but  at  the  time  of  this  Report’s  publication,  has  yet  to  receive  a  response.  Informed 
cooperation  or  legislation  requires  debate  and  open  discussion. 

In  Part  VIII.  the  Report  concludes  that  while  generally,  data  encryption  offers  significant  benefits  to 
the  public,  the  harm  that  full-disk  encryption  on  smartphones  imposes  on  crime  victims  and  public 
safety  requires  that  it  be  regulated. 
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I. 


The  Problem 


In  September  2014,  Apple  Inc.  announced  that  its  new  operating  system,  iOS  8,  would  be  designed 
such  that  when  a  phone  or  other  device  running  iOS  8  locks,  no  one  but  the  user,  or  another  person 
with  the  device’s  passcode,  could  open  it.  Its  subsequent  operating  system,  iOS  9,  released  in 
September  2015,  shares  this  feature.1  When  iOS  8  was  released,  Apple  advertised  that  users’  devices,2 
once  locked,  would  be  impervious  to  attempts  by  law  enforcement  to  review  the  contents  of  the 
phones,  even  when  law  enforcement  had  obtained  search  warrants.’  Shortly  after  Apple’s 
announcement,  Google  Inc.  announced  a  similar  plan:  Its  operating  system,  too,  would  be  constmcted 
to  be  impervious  to  all  decryption  efforts,  including  legally-authorized  efforts  of  state  and  federal 
governments.4 

Even  before  Apple’s  and  Google’s  announcements,  many  devices  had  given  users  the  option  of 
enabling  such  powerful  encryption.  The  significance  of  the  companies’  change  in  practice  was  that 
this  type  of  encryption  would  be  the  default  setting  on  their  new  devices.  Apple’s  and  Google’s 
announcements  led  to  an  immediate  response  by  law  enforcement  officials,  who  pointed  out  that 
allowing  a  phone  to  be  locked  such  that  it  would  be  beyond  the  reach  of  lawful  searches  and  seizures 
was  unprecedented,  and  posed  a  threat  to  law  enforcement  efforts  -  in  effect,  a  boon  to  dangerous 
criminals.3  The  issues  have  been  widely  debated,  especially  on  the  internet6  and  the  editorial  pages,7 
and  they  have  been  the  subject  of  congressional  testimony.8 

The  debate  may  be  characterized  as  one  weighing  individuals’  rights  to  privacy  against  society’s  interest 
in  providing  governments  with  the  tools  that  they  require  to  maintain  safety  and  provide  security.  But 
to  characterize  the  debate  is  merely  the  first  step  towards  resolving  it:  Privacy  and  safety  may  conflict 
in  some  instances  -  that  is  nothing  new.  The  questions  are,  and  have  always  been,  where  to  draw  the 
line  between  them,  and  how  might  they  be  balanced  to  the  best  advantage  of  the  greatest  part  of 
society. 
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II.  Background  Of  Relevant  Technology 


Encryption  involves  converting  readable  data  (sometimes  referred  to  as  “plaintext”)  into  scrambled, 
unreadable  data  (sometimes  referred  to  as  “ciphertext”)  using  an  algorithm  that  renders  the  data 
unreadable  by  a  human  or  computer  without  the  proper  cipher  and  key  to  decrypt  it.  Data  transmitted 
between  phones,  computers,  and  other  digital  devices  can  be  encrypted  (i)  while  in  transit  between 
those  devices  and  (ii)  on  the  devices  themselves. 

“Data  at  rest”  is  information  that  is  stored  on  devices  after  the  data-creating  event  has  occurred.  Data 
at  rest  could  include,  for  example,  a  text  message  that  has  been  received  by  a  smartphone  and  has  not 
been  deleted  from  the  device.  In  this  paper,  the  term  “full-disk  encryption”  means  the  encryption  of 
data  at  rest  on  personal  devices  in  such  a  manner  that  the  passcode  is  required  to  decrypt  the  data. 

“Data  in  transit”  refers  to  information  in  the  very  moment  that  it  is  being  transferred  from  one  source 
to  another,  for  example,  information  communicated  in  a  phone  conversation  is  data  in  transit  while  it 
is  being  transferred.  A  different  type  of  encryption  (not  full-disk  encryption),  involving  distinct 
security  concerns  and  features,  is  used  to  encrypt  data  in  transit.  This  report  relates  to  full-disk 
encryption  of  data  at  rest  on  devices  only.  It  does  not  address  the  issues  arising  from  the  encryption 
of  data  in  transit. 

A.  Apple 

Mobile  devices  manufactured  by  Apple  include  phones  (called  iPhones),  tablets  (iPads),  and  portable 
media  players  that  play  audio  and  video  files  (iPods).  The  operating  system  used  by  an  Apple  device 
is  called  iOS.  Particular  versions  of  the  operating  system  are  given  numerical  names  -  e.g.,  iOS  8.  All 
Apple  devices  and  the  associated  operating  systems  are  manufactured  and  engineered  by  Apple. 

iMessages  are  messages,  which  may  contain  text,  photos,  and  other  data,  sent  between  Apple  devices. 
iMessages  can  be  sent  over  a  Wi-Fi  or  cellular  connection,  and  are  routed  through  Apple’s  systems 
rather  than  a  phone  service  provider’s  networks.  SMS  and  MMS  messages4  can  be  used  on  Apple  and 
non-Apple  devices.  They  are  sent  over  a  cellular  connection  only  and  are  sent  through  a  phone  service 
provider’s  networks,  not  Apple’s  or  other  device  makers’  systems. 

Users  of  Apple  devices  can  protect  the  data  on  their  devices  in  two  ways.  They  can  establish 
passcodes,  and,  on  some  of  the  Apple  devices,  they  can  enable  a  feature  that  allows  the  device  to  be 
unlocked  with  the  user’s  fingerprint.  If  a  user  enters  an  incorrect  passcode  a  certain  number  of  times 
in  a  row  on  a  device,  the  data  on  the  device  may  automatically  become  permanently  inaccessible. 

Users  can  “back  up”  the  contents  of  their  Apple  devices  -  that  is,  copy  and  store  the  content  elsewhere 
such  that,  for  example,  if  one  were  to  lose  one’s  phone,  one  could  get  a  new  phone,  access  the  backup 
copy,  and  restore  it  to  the  new  phone.  Apple  devices  can  be  backed  up  to  a  computer,  an  external 
hard  drive,  or  a  cloud  service. 

“The  cloud”  refers  to  networks  of  computers  and  servers  that  are  used  to  store  data.  Many  users 
utilize  cloud  storage  to  store  photos,  videos,  documents,  and  messages.  Using  cloud  storage  keeps 
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storage  space  available  on  the  user’s  device,  and  the  items  stored  in  the  cloud  can  be  accessed  by  all 
of  a  user’s  different  devices,  as  long  as  those  devices  have  an  internet  connection. 

Apple’s  cloud  is  called  iCloud.  Users  of  Apple  devices,  Mac  computers,  and  computers  using 
particular  Windows  operating  systems  may  set  up  iCloud  accounts.  The  first  five  gigabytes  of  storage 
on  an  iCloud  account  are  free,  but  if  users  want  more  space,  they  must  buy  it.  Of  course,  no  user  of 
an  Apple  device  is  required  to  use  iCloud.  Users  may  prefer  not  to  back  up  their  devices  at  all,  or  they 
may  back  up  to  a  computer,  hard  drive,  or  non-Apple  cloud  storage.  Even  if  they  take  advantage  of 
the  five  gigabytes  of  free  storage  space  in  iCloud,  they  may  choose  not  to  purchase  any  additional 
space. 

B.  Google 

Devices  mnning  Google’s  mobile  platform  use  the  Android  operating  system.  These  devices  include 
phones,  tablets,  and  other  devices.  Each  version  of  the  Android  operating  system  has  both  a 
numerical  identifier  -  e.g.,  version  5.0.1  -  and  a  name,  which  has  historically  been  the  name  of  a  dessert 
or  candy  —  eg..  Ice  Cream  Sandwich.  Unlike  Apple  devices,  Android  devices  are  manufactured  by  a 
variety  of  different  manufacturers,  often  referred  to  as  Original  Equipment  Manufacturers  or  OEMs. 

Users  of  Android  devices  can  set  up  a  “pattern  unlock”  passcode,  which  is  a  line  connecting  at  least  4 
dots  in  a  9-dot  grid,  to  protect  the  data  on  their  devices.  Devices  with  certain  operating  systems 
(Froyo  2.2  and  later)  offer  the  ability  to  lock  the  device  using  a  numeric  or  alphanumeric  passcode. 
Some  Android  devices  have  fingerprint  readers  incorporated  into  the  hardware  of  the  device.  The 
fingerprint  reader  is  not  incorporated  into  all  Android  devices,  however,  due  to  the  variety  of  OEMs 
making  Android  devices.  As  with  Apple  devices,  if  a  user  enters  an  incorrect  passcode  a  certain 
number  of  times  in  a  row  on  a  device,  the  data  on  the  device  may  automatically  become  permanently 
inaccessible. 

Google  offers  cloud  storage  in  Google  Drive  and  other  locations.  Data  can  be  backed  up  to  Google’s 
cloud  from  an  Android  device,  an  iPhone,  an  iPad,  or  a  computer.  Users  of  Android  devices  are  not 
required  to  back  up  to  the  cloud,  or,  if  they  do,  to  use  Google’s  clouds  rather  than  some  other  entity’s 
cloud.  Users  of  Google  Drive  receive  15  gigabytes  of  free  storage  and  can  purchase  additional  storage 
space.  Many  Android  phones  have  a  minimum  of  16  gigabytes  of  storage  space,  and  some  can  hold 
up  to  128  gigabytes. 

Android  phones  do  not  back  up  to  Google  cloud  storage  by  default.  Thus,  a  user  must  affirmatively 
choose  to  back  up  to  the  cloud,  and  the  choice  is  not  a  single,  all-or-nothing  choice,  but  a  series  of 
choices,  one  for  each  type  of  data.  It  is,  therefore,  not  uncommon  for  Android  users  to  back  up  to 
Google’s  cloud  only  certain  types  of  data  from  their  smartphones,  like  photos  and  videos. 


3 


III.  The  Inadequacy  Of  Existing  Technological  And  Legal  Tools  For  Collecting  Evidence 

A.  The  Search  Warrant  And  The  Unlock  Order  -  Prosecutors’  Historically-Useful  Tools 
-  Are  No  Longer  Effective  For  Obtaining  Evidence  From  Smartphones 

When  a  prosecutor  or  investigative  agency  collects  a  passcode-protected  phone,  it  might,  if  the 
circumstances  permit,  seek  the  owner’s  permission  to  search  the  phone.  In  many  instances,  though, 
the  owner  is  a  defendant  or  suspect,  and  will  not  consent  to  a  search.  Sometimes,  the  phone  owner’s 
identity  is  unknown  (for  example,  if  a  phone  is  found  at  a  crime  scene),  so  the  owner  cannot  be  asked 
for  permission  to  search  the  device.  Even  when  the  identity  of  the  phone’s  owner  is  known,  in  some 
cases,  that  person  is  unavailable  to  consent  to  a  search  of  the  device  because,  for  example,  he  or  she 
has  been  abducted  or  killed,  as  when  the  phone  belongs  to  a  kidnapping  or  murder  victim. 

When  prosecutors  have  probable  cause  to  believe  that  a  phone  contains  evidence  of  a  crime,  they  may 
apply  to  a  court  for  a  search  warrant  authorizing  a  search  of  the  phone  for  that  evidence.1"  But  even 
when  prosecutors  obtain  a  search  warrant,  they  still  have  to  unlock  the  phone  to  be  able  to  search  it. 

1.  Attempts  To  Unlock  Apple  Devices 

For  the  iPhone  4,  earlier  versions  of  iPhones,  and  certain  other  Apple  devices,  forensic  analysts  can 
attempt  to  ascertain  the  device’s  passcode  by  using  “brute  force,”  i.e.,  by  systematically  trying 
combinations  of  passcodes  (e.g.,  “1,  1,  1,  1,”  “1,1, 1,2,”  “1,1, 1,3,”  .  .  .)  until  the  correct  one  is  found. 
The  process  may  be  time-consuming  and,  for  the  reasons  discussed  below,  can  be  used  effectively  on 
only  certain  Apple  devices. 

With  respect  to  the  iPhone  4s  and  later  models  of  iPhones  and  other  Apple  devices  running  iOS 
versions  through  iOS  7,  “brute  force”  attempts  may  result  in  the  contents  of  the  device  becoming 
permanently  inaccessible  once  the  maximum  number  of  passcode  attempts  is  reached.  For  these 
devices,  law  enforcement  requires  the  assistance  of  Apple  to  obtain  the  devices’  contents  safely.  The 
prosecutor  or  investigator  obtains  a  search  warrant  and  an  order  (often  referred  to  as  an  “unlock 
order”)  instmcting  Apple  to  assist  with  extracting  data  from  the  device.  The  prosecutor  or  investigator 
then  sends  Apple  a  copy  of  the  warrant,  the  unlock  order,  the  device,  and  a  blank  external  hard  drive. 
Apple  uses  a  proprietary  method  to  extract  data  from  the  device,  and  sends  a  copy  of  the  data  to  law 
enforcement  on  the  external  hard  drive. 

For  Apple  devices  mnning  iOS  8,  Apple  can  no  longer  comply  with  unlock  orders.  iOS  8  prevents 
Apple  from  accessing  data  on  the  device  unless  Apple  has  the  user’s  passcode.  But,  Apple  does  not 
keep  users’  passcodes.  Thus,  it  is  no  longer  possible  for  Apple  to  extract  data  as  it  did  for  devices 
running  prior  operating  systems.  According  to  Apple,  as  of  October  19,  2015,  approximately  61%  of 
all  Apple  devices  currently  in  use  mn  iOS  9,  and  approximately  30%  use  iOS  8.  Only  nine  percent 
use  an  earlier  iOS  version. 11 
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2. 


Attempts  To  Unlock  Google  Devices 


There  are  a  larger  variety  of  Android  devices  than  Apple  devices.  Forensic  examiners  are  able  to 
bypass  passcodes  on  some  of  those  devices  using  a  variety  of  forensic  techniques.  For  some  other 
types  of  Android  devices,  Google  can  reset  the  passcodes  when  served  with  a  search  warrant  and  an 
order  instmcting  them  to  assist  law  enforcement  to  extract  data  from  the  device.  This  process  can  be 
done  by  Google  remotely  and  allows  forensic  examiners  to  view  the  contents  of  a  device. 

For  Android  devices  running  operating  systems  Lollipop  5.0  and  above,  however,  Google  plans  to 
use  default  full-disk  encryption,  like  that  being  used  by  Apple,  that  will  make  it  impossible  for  Google 
to  comply  with  search  warrants  and  orders  instructing  them  to  assist  with  device  data  extraction. 

Full-disk  encryption  has  not  yet  been  implemented  as  a  default  on  all  Android  devices  mnning 
Lollipop  5.0  and  later  systems,  but  has  been  implemented  on  certain  Nexus  (Google-controlled) 
devices.  Generally,  users  have  the  option  to  enable  full-disk  encryption  on  their  current  Android 
devices,  whether  or  not  the  device  is  mnning  Lollipop  5.0,  but  doing  so  causes  certain  inconveniences, 
risks,  and  performance  issues,  which  are  likely  to  exist  until  OEMs  are  required  to  standardize  certain 
features.12  As  of  October  5,  2015,  approximately  23%  of  Android  users  were  running  Lollipop  5.0  or 
higher. 13 

B.  The  Difficulty  Of  Getting  Passcodes  From  Defendants 

Case  law  holds  almost  universally  that  a  defendant  cannot  be  compelled  (by,  eg,  a  grand  jury  subpoena 
or  order  of  the  court)  to  provide  the  government  with  her  or  his  passcode,  because  such  compulsion 
would  violate  the  defendant’s  Fifth  Amendment  right  against  self-incrimination. 14  There  are  two 
potential  exceptions  to  this  rule. 

First,  it  is  an  open  question  whether,  instead  of  being  compelled  to  provide  the  government  with  a 
passcode,  the  defendant  might  be  compelled  to  unlock  her  or  his  phone  using  the  passcode.  There 
have  been  no  cases  considering  this  precise  question,  and  although  a  court  might  conclude  that  it  is 
no  different  from  the  situation  in  which  a  defendant  is  compelled  to  provide  the  government  with  the 
passcode,  it  might  also  determine  that  the  situations  are  somewhat  different.1’ 

Second,  if  the  existence  of  evidence  on  the  phone  is  a  foregone  conclusion,  then  the  defendant  may 
have  no  Fifth  Amendment  privilege  with  respect  to  the  contents  of  the  phone,  and  thus  may  be 
compelled  to  provide  the  government  with  the  passcode.16  It  would  be  difficult  in  most 
circumstances,  however,  for  the  government  to  establish  with  the  requisite  degree  of  certainty  the 
existence  of  evidence  in  a  phone  that  would  clear  the  “foregone  conclusion”  hurdle.1. 

In  any  event,  even  if  the  government  could  lawfully  compel  a  defendant  to  disclose  her  or  his  passcode 
-  or  to  open  her  or  his  phone  using  the  passcode  -  there  is  a  substantial  likelihood  that  any  defendant 
who  faces  potentially  serious  criminal  charges  would  simply  refuse  to  comply  with  the  subpoena  or 
order,  and  go  into  contempt. 18 
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In  sum:  In  almost  all  cases,  it  will  be  legally  impossible  to  compel  a  defendant  to  provide  his  or  her 
passcode  or  to  use  the  passcode  to  open  her  or  his  phone.  In  those  few  cases  in  which  it  might  be 
legally  possible  to  compel  the  defendant  to  provide  the  information,  it  would  be  impossible  as  a 
practical  matter  to  compel  a  recalcitrant  defendant  facing  serious  charges  to  do  so. 

C.  Certain  Data  Exists  Only  On  Smartphones 

It  is  frequently  argued  that  we  live  in  a  “golden  age  of  surveillance,”  and  that  because  law  enforcement 
has  access  to  numerous  sources  of  information,  it  does  not  need  access  to  locked  devices.19  The 
argument  is  unconvincing,  because  much  important  data  may  be  found  only  on  smartphones. 

The  below  chart  summarizes  whether  law  enforcement  officials  can  obtain  particular  types  of  data 
from  a  device,  iCloud,  Google  cloud  storage,  or  the  phone  service  provider  pursuant  to  legal  process, 
if  the  data  is  not  encrypted  with  full-disk  encryption.  Green  boxes  in  the  chart  indicate  that  the  type 
of  data  listed  can  be  obtained  from  the  location  (if  not  encrypted  with  full-disk  encryption),  red  boxes 
indicate  when  the  type  of  data  listed  cannot  be  obtained  from  the  location  listed,  and  yellow  boxes 
indicate  that  certain  data  may  be  obtained  from  the  location,  with  caveats. 

The  chart  and  below  discussion  make  clear  that  many  types  of  important  data  are  available  only  on 
devices. 
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Comparison  of  Data  Sources 


Google 

Cloud 

Storage 


iMessage  content 


iMessage  detail  (dates,  times,  phone  numbers 
involved) 


SMS/MMS  content 


SMS/MMS  detail  (dates,  times,  phone  numbers 
involved) 


Phone  call  detail  (dates,  times,  phone  numbers 
involved,  duration) 


Historical  cell  site  data1 2 3 4 5 6 7 8 


Historical  other  cell  tower-related  data2 


Historical  Wi-Fi  network  data 


Historical  GPS  or  other  satellite  data2 


Contacts 


Photos /Videos 


Internet  Search  History 


Internet  Bookmarks 


Third-Party  App  Data 


Phone 

company 


(1)  Apple’s  website  states  that  it  can  provide  this  information 
(http://images.apple.com/privacy/docs/us  le  guidelines  final  20150916.pdf.  p.  8).  In 
response  to  search  warrants,  however,  Apple  has  not  provided  such  information  for  backups 
of  phones  running  iOS  8. 

(2)  The  information  would  be  available  to  law  enforcement  only  if  the  device  user  chose  to  back 
up  to  the  cloud  and  included  this  type  of  data.  See  discussion  immediately  following  chart. 

(3)  Most  carriers  do  not  retain  content.  Some  that  do,  retain  for  only  a  short  period  (eg.,  3-5 
days). 

(4)  This  data  can  be  obtained  by  law  enforcement  while  the  data  is  retained  by  the  phone  service 
provider.  There  is  no  requirement,  however,  that  wireless  carriers  maintain  this  type  of  data 
at  all  or  for  any  particular  length  of  time.  In  addition,  cell  site  data  is  not  retained  by  certain 
phone  carriers  for  text  messages.  Given  than  many  people  now  primarily  communicate 
through  text  messages,  this  limits  the  amount  of  location  information  investigators  can  learn 
through  cell  site  data. 

(5)  May  be  available  for  only  certain  devices. 

(6)  Forensic  analysts  are  able  to  extract  this  information  from  devices.  When  Apple  provides 
device  data  pursuant  to  an  unlock  order,  however,  they  do  not  include  this  data. 

(7)  May  be  available  from  Google  when  stored  in  its  servers.  This  type  of  data  does  not  appear 
to  be  stored  in  Google’s  cloud. 

(8)  Certain  types  (eg.,  GPS  EXIF  data)  may  be  available,  but  not  all  (eg,  Google  Maps  data). 
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Some  have  argued  that  so  long  as  cloud  accounts  are  amenable  to  lawful  searches,  there  is  no  need  to 
require  personal  devices  to  be  amenable  to  such  searches.21  The  chart  shows  the  weakness  of  that 
argument:  Even  under  the  best  of  circumstances,  the  cloud  does  not  have  all  of  the  information  that 
would  be  available  on  a  personal  device.  And,  there  are  several  further  reasons  the  cloud  is  a  poor 
substitute  for  personal  devices  as  a  source  of  information  important  to  law  enforcement. 

First,  even  if  a  person  backs  up  his  or  her  personal  device  to  the  cloud,  it  may  be  impossible  for  law 
enforcement  to  identify  which  cloud  service  the  person  has  used.  Many  companies  offer  cloud 
storage,  including  Apple,  Google,  Microsoft,  Dropbox,  Box,  and  others.  Even  after  the  police  seize 
a  smartphone  or  other  device  that  might  be  backed  up  to  the  cloud,  without  being  able  to  access  data 
in  the  device,  the  police  would  have  no  reasonable  way  that  would  work  in  all  cases  of  determining 
which  particular  cloud  service(s)  a  person  uses  for  storage.  Even  if,  through  the  issuance  of 
subpoenas,  the  police  learn  which  cloud  service(s)  the  person  uses,  by  the  time  the  police  learn  that 
information,  the  evidence  in  the  account(s)  may  have  been  destroyed  by  the  smartphone  owner  or 
one  of  his  accomplices. 

Second,  smartphone  users  are  not  required  to  set  up  a  cloud  account  or  back  up  to  the  cloud,  and 
therefore,  many  device  users  will  not  have  data  stored  in  the  cloud.  Even  minimally  sophisticated 
wrongdoers  who  use  their  devices  to  perpetrate  crimes  and  who  have  cloud  accounts  will  likely  take 
the  relatively  simple  steps  necessary  to  avoid  backing  up  those  devices,  or  data  of  interest,  to  the  cloud. 
In  most  instances,  only  one  or  two  selections  must  be  made  in  the  device’s  settings  to  turn  off  the 
back-up  function  or  to  remove  certain  types  of  content  from  the  back  up. 

Third,  even  if  a  user  chooses  to  back  up  all  of  his  or  her  data  to  the  cloud,  a  device  will  not  be  backed 
up  to  the  cloud  until  it  is  connected  to  Wi-Fi  or,  for  Android  phones,  a  cellular  connection.  So,  if 
evidence  is  stored  on  a  device  when  it  is  disconnected  from  Wi-Fi  or  cell  service,  and  the  device  is 
recovered  by  law  enforcement  officials  before  it  is  reconnected  to  such  service,  then  the  evidence 
would  exist  only  on  the  device  itself. 

Fourth,  although  it  may  be  possible  to  recover  at  least  some  deleted  data  from  an  Apple  device,  Apple 
states  that  once  data  has  been  deleted  from  an  iCloud  account,  Apple  cannot  provide  it  in  response 
to  a  search  warrant.24  Thus,  the  Apple  device  is  the  only  route  to  evidence  that  has  been  deleted  - 
which  may,  of  course,  be  among  the  most  probative  evidence.25 


IV.  The  Cost  Of  Evidence  Made  Inaccessible  Through  Apple’s  Encryption 

The  harm  caused  by  encryption  is  often  discussed  in  the  context  of  international  terrorism.  The 
greatest  cost  of  default  full-disk  encryption,  however,  is  likely  borne  by  local  law  enforcement  and  the 
victims  of  domestic  crime.  Smartphones  are  ubiquitous,  and  there  is  almost  no  kind  of  case  in  which 
prosecutors  have  not  used  evidence  from  smartphones.  Evidence  from  smartphones  has  been  used 
across  the  country  to  investigate  and  prosecute  homicides,  rapes,  assaults,  domestic  violence,  narcotics 
rings,  kidnappings,  larcenies,  frauds,  and  robberies.  It  is  the  rare  case  in  which  information  from  a 
smartphone  is  not  useful;  rather,  it  is  often  crucial. 

Between  September  17,  2014  and  October  1,  2015,  the  Manhattan  District  Attorney’s  Office  was 
unable  to  execute  approximately  111  search  warrants  for  smartphones  because  those  devices  were 
mnning  iOS  8.  The  cases  to  which  those  devices  related  include  homicide,  attempted  murder,  sexual 
abuse  of  a  child,  sex  trafficking,  assault,  and  robbery.  Because  information  stored  on  devices  is  so 
often  probative,  it  is  reasonable  to  believe  that  in  many  of  these  cases  the  data  that  is  out  of  the  reach 
of  law  enforcement  would  have  been  relevant  to  the  case  and  to  the  investigation  of  additional  crimes 
or  perpetrators. 

The  following  list  of  recent  cases  from  this  office  demonstrates  this  point.  It  includes  cases  in  which 
evidence  from  devices  that  were  able  to  be  searched  was  helpful  in  either  prosecuting  or  exonerating 
a  defendant. 

•  Homicide:  People  v.  Hayes,  Indictment  Number  4451/12:  The  victim  was  filming  a  video  using 
his  iPhone  when  he  was  shot  and  killed  by  the  defendant.  The  video  captured  the  shooting. 
Because  the  iPhone  was  not  passcode-locked,  the  video  was  recovered  and  admitted  into 
evidence  at  trial.  The  video  corroborated  eyewitness  testimony.  The  defendant  was  convicted 
of  murder  and  sentenced  to  35  years  to  life. 

•  Rape  and  Robbery  Conspiracy:  People  v.  Sandel,  Rivera,  and  Cray  Indictment  Number 
3158/15:  The  defendants  are  charged  with  committing  predatory  sexual  assault,  conspiring  to 
rape  and  rob  several  victims,  and  numerous  related  crimes.  During  some  of  the  rapes,  they 
used  mace  on  the  victims.  Significant  evidence  against  the  defendants  was  recovered  from 
phones  belonging  to  two  of  the  defendants.  Internet  browsing  history  relating  to  mace  was 
found  on  a  phone.  Text  messages  between  the  defendants  were  also  crucial.  For  example, 
Rivera  sent  a  text  message  to  Sandel  stating  in  substance,  “just  bring  that  pepper  spray  & 
taser,”  and  Rivera  sent  a  text  message  to  Sandel  stating  in  substance,  “Soon  we  will  terrorize 
NYC  again.”  On  the  highest  charge  alone,  each  defendant  is  facing  up  to  25  years  to  life. 

•  Child  Pornography:  People  v.  Hirji ,  Superior  Court  Information  Number  3650/15:  The 
defendant  was  arrested  after  he  began  speaking  with  a  cab  driver  about  his  interest  in  having 
sex  with  children  and  after  showing  the  driver  a  child  pornography  image.  An  iPhone  and  an 
Android  tablet  were  recovered  from  the  defendant.  Investigators  obtained  a  search  for  the 
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devices,  and  a  forensic  analyst  determined  the  passcode  for  both.  Upon  searching  the  iPhone, 
investigators  discovered  a  large  number  of  child  pornography  images.  The  defendant  was 
convicted  of  Promoting  a  Sexual  Performance  by  a  Child.26 

•  Sex  Trafficking:  People  v.  Brown,  Indictment  Numbers  865/12,  3908/12,  and  3338/13:  The 
defendant  directed  a  sex  trafficking  operation  involving  at  least  four  women,  using  physical 
violence,  threats  of  force,  and  psychological  manipulation  to  coerce  the  women  to  engage  in 
prostitution.  Evidence  recovered  from  electronic  devices  seized  from  the  defendant’s  home 
proved  cmcial  to  his  conviction  at  trial.  In  particular,  the  defendant’s  smartphones  contained 
photographs  showing  him  posing  his  victims  for  online  prostitution  advertisements,  and 
showing  that  he  had  “branded”  multiple  women,  with  his  nickname  tattooed  onto  their  bodies; 
text  messages  between  him  and  several  victims  confirmed  that  he  had  engaged  in  acts  of 
violence  against  the  testifying  witness  and  others.  The  defendant  was  convicted  of  multiple 
counts  of  sex  trafficking  and  promoting  prostitution  and  was  sentenced  to  10-20  years  in 
prison. 

•  Sex  Trafficking:  People  v.  Baosado,  Indictment  Number  5591/14:  The  defendant  ran  a  sex 
trafficking  operation  involving  multiple  women  and  underage  girls.  He  advertised  their 
prostitution  services  on  a  website  called  Backpage,  and  used  physical  force  to  keep  the  girls 
and  women  in  prostitution.  When  the  defendant  was  arrested,  he  was  in  a  car  with  a  pregnant 
16-year-old.  An  unlocked  Android  smartphone  was  recovered  from  him.  Pursuant  to  a  search 
warrant,  our  office  analyzed  the  contents  of  the  phone.  Significant  evidence  was  recovered, 
including  text  messages  between  the  defendant  and  male  customers  about  prostitution,  the 
defendant’s  web  browser  history,  which  showed  his  access  of  Backpage,  and  photographs  of 
the  prostitutes  that  the  defendant  had  posted  in  Backpage  ads.  This  evidence  was  admitted  at 
the  defendant’s  trial.  The  defendant  was  convicted  of  Sex  Trafficking  and  Promoting 
Prostitution,  and  sentenced  to  a  prison  term  of  seven  to  fourteen  years. 

•  Cybercrime  and  Identity  Theft:  People  v.  Jacas  et  al.  Indictment  Number  42/ 12,  and  People  v. 
Brahms  et  al.  Indictment  Number  5151/11:  This  case  involved  the  successful  prosecution  of  a 
29-member  identity  theft  ring.  An  iPhone  was  recovered  from  a  waiter  who  was  arrested  for 
stealing  more  than  20  customers’  credit  card  numbers  by  surreptitiously  swiping  those  credit 
cards  through  a  card  reader  that  stored  the  credit  card  number  and  other  data.  When  the 
phone  was  searched  pursuant  to  a  warrant,  law  enforcement  officials  discovered  text  messages 
between  the  waiter  and  other  members  of  the  group  regarding  the  ring’s  crimes.  Based  in  large 
part  on  information  obtained  from  the  phone,  investigators  were  able  to  obtain  an 
eavesdropping  warrant,  and  ultimately  arrested  29  people,  including  employees  of  high-end 
restaurants  who  stole  credit  card  numbers,  shoppers  who  made  purchases  using  counterfeit 
credit  cards  containing  the  stolen  credit  card  numbers,  and  managers  who  oversaw  the 
operation.  The  group  compromised  over  100  American  Express  credit  card  numbers  and  stole 
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property  worth  over  $1,000,000.  All  of  the  defendants  pled  guilty,  and  more  than  $1,000,000 
in  cash  and  merchandise  were  seized  and  forfeited. 

•  Unlawful  Surveillance:  People  v.  Rema,  Indictment  Number  4117/13:  The  defendant  was 
arrested  for  unlawful  surveillance  after  a  police  officer  observed  the  defendant  using  his  phone 
to  film  up  women’s  skirts,  which  is  known  as  “upskirting.”  The  defendant  consented  to  a 
search  of  his  phone,  but  the  passcode  he  provided  did  not  work.  Investigators  obtained  a 
search  warrant  and  unlock  order  for  the  phone.  The  phone  was  sent  to  Apple,  Apple  extracted 
data  from  the  phone,  and  the  phone  and  data  were  returned  to  the  prosecutor.  Two  upskirting 
videos  were  found  on  the  phone,  both  filmed  on  the  date  of  the  defendant’s  arrest.  Following 
the  trial,  at  which  both  videos  were  entered  into  evidence,  the  defendant  was  convicted  as 
charged,  of  two  counts  of  unlawful  surveillance.  Had  the  defendant  been  using  an  iOS  8, 
these  videos  would  not  have  been  recovered. 

•  Homicide  Exoneration:  People  v.  Rosario,  Indictment  Number  1859/ 10:  A  detective  obtained 
a  search  warrant  and  an  unlock  order  for  certain  iPhones  found  at  the  scene  of  a  homicide.  He 
sent  the  phones  to  Apple,  which  assisted  in  extracting  data  from  them.  The  phone  data 
demonstrated  inaccuracies  in  what  investigators  initially  thought  to  be  the  timeline  of  the 
events,  and  that  a  particular  suspect  was  not,  in  fact,  involved  in  the  murder.  A  phone  number 
stored  in  one  of  the  iPhones  was  eventually  linked  to  another  individual,  who  later  confessed 
and  pled  guilty  to  the  killing.  He  is  currently  serving  a  sentence  of  1 7  1/2  years’  imprisonment. 

There  are  many  other  cases  -  almost  too  many  to  count  -  that  could  have  been  selected,  but  they  all 
establish  a  single  point:  We  risk  losing  cmcial  evidence  in  serious  cases  if  the  contents  of  passcode- 
protected  smartphones  remain  immune  to  a  warrant. 

The  enormity  of  the  loss  is  fully  appreciated  by  wrongdoers  who  use  smartphones.  The  following 
telephone  call,  made  earlier  this  year,  from  a  prison  inmate  to  a  friend,  shows  that  the  inmate  hoped 
that  his  phone  had  the  new,  impregnable  Apple  operating  system.  (Phone  calls  made  by  inmates  are 
recorded  by  the  Department  of  Corrections,  and  inmates  are  repeatedly  advised  that  their  calls  are 
recorded.) 

Inmate:  I  need  you  to  open  up  your  iPhone  and  go  to  your  operating  system. 

If  it’s  on  operating  system  8,  a  i08,  they  can’t  get  into  my  phone. 

Because  when  we  switched  to  T-Mobile  they  gave  us  brand  new 
phones,  right? 

Friend:  Yeah. 

Inmate:  And  I  think  they  had  to  do  operating  systems...  what  month  we 

switched  to  T-Mobile? 

Friend:  Um _ February  I  think.  We  didn’t  even  have  these  phones  for  not 

even  long. 


ll 


Inmate: 


Good.  What  happen  is  in  September  17,  2014,  they  opened  up. . .  It’s 

all  in  the  papers. . .  The  DA  Cyrus  Vance  who’s  prosecuting  me  is 
beefing  with  Apple  because  they  put  these  phones  that  can’t  be 
[un]  encrypted.  If  our  phones  is  running  on  the  i08  software,  they 
can’t  open  my  phone.  That  might  be  another  gift  from  God.  We 

might  have  accidentally  gotten  the  new  phones  and. . . 

Friend:  Yeah...2 

This  defendant’s  case  is  hardly  unique:  His  concerns  and  hopes,  expressed  in  the  phone  call,  about 
the  protection  the  iOS  8  operating  system  would  afford  him  are  shared  by  criminals  in  every 
jurisdiction  in  America  charged  with  all  manner  of  crimes,  including  rape,  kidnapping,  robbery, 
promotion  of  child  pornography,  and  larceny.  As  recognized  by  this  defendant,  criminals  benefit 
significantly  from  iOS  8,  and  the  safety  of  all  American  communities  is  imperiled  by  it. 
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V. 


A  Proposed  Solution:  Make  Smartphones  Amenable  To  Search  Warrants 


There  is  no  provision  of  the  U.S.  Constitution,  or  of  any  state  constitution,  that  would  require 
producers  of  smartphones  and  operating  systems  to  make  smartphones  amenable  to  governmental 
searches.  A  federal  statute  could,  however,  compel  such  amenability.28  The  Commerce  Clause  gives 
the  federal  government  the  authority  to  “regulate  Commerce  .  .  .  among  the  several  States,”  and  “with 
foreign  Nations.”29  Because  smartphones  are  part  of  interstate  and  foreign  commerce,  a  federal  statute 
regulating  smartphones  would  comfortably  fall  within  the  power  of  Congress  to  regulate  activities 
“that  substantially  affect  interstate  commerce.”30 

Any  state  could  also  regulate  smartphones  sold  or  used  within  its  borders.  Each  of  the  62  District 
Attorneys  in  New  York  State  have,  indeed,  proposed  such  legislation.31  It  is  clear,  however,  that 
federal  legislation  is  preferable  to  state  legislation.  The  problem  under  consideration  here  requires  a 
nationwide  solution,  and  only  federal  legislation  can  provide  it. 

The  federal  legislation  would  provide  in  substance  that  any  smartphone  manufactured,  leased,  or  sold 
in  the  U.S.  must  be  able  to  be  unlocked,  or  its  data  accessed,  by  the  operating  system  designer. 
Compliance  with  such  a  statute  would  not  require  new  technology  or  costly  adjustments.  It  would 
require,  simply,  that  designers  and  makers  of  operating  systems  not  design  or  build  them  to  be 
impregnable  to  lawful  governmental  searches. 
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VI.  Responses  To  Potential  Objections 


A.  This  Is  A  Limited  Proposal  That  Addresses  Only  Data  At  Rest  On  Personal  Devices 

This  white  paper  addresses  only  questions  relating  to  law  enforcement’s  ability  to  access  data  at  rest 
on  personal  devices.  Many  of  the  reports  written  about  encryption  and  cyber-privacy  focus  on  law 
enforcement’s  ability  to  access  data  in  transit  and  the  security  improvements  gained  through 
encrypting  live  data  transfers  or  communications.3’  This  paper  takes  no  position  on  issues  relating  to 
the  encryption  of  data  in  transit. 

The  ability  to  decrypt  data  in  transit  presents  unique  risks  that  are  simply  not  presented  by  the  ability 
to  decrypt  data  at  rest.  Most  significantly,  the  ability  to  decrypt  data  in  transit  creates  the  possibility 
of  unlawful  eavesdropping  on  live  communications;  such  eavesdropping  is  not  at  issue  in  connection 
with  data  at  rest. 

B.  The  Loss  Of  Personal  Security  Would  Be  Minimal 

The  principal  argument  in  favor  of  making  devices  impregnable  to  the  government  is  that  any  effort 
that  would  allow  the  government  to  collect  evidence  lawfully  from  devices  would  necessarily  lessen 
the  devices’  security,  and  thus  increase  the  possibility  of  a  bad  actor  unlawfully  accessing  device  data. 

There  is  a  cost-benefit  analysis  to  be  considered:  The  loss  in  personal  security  that  would  be 
occasioned  by  the  proposed  statute  must  be  weighed  against  the  gain  in  societal  safety  that  it  would 
create. 

Some  experts  have  stated  that  there  is  no  practicable  way  to  quantify  the  loss  of  personal  security  that 
results  from  making  devices  amenable  to  government  search  warrants.  There  are,  however,  at  least 
four  reasons  to  believe  that  the  loss  of  security  would  not  be  significant  if  this  paper’s  proposal  was 
adopted. 

First,  rendering  devices  running  iOS  8  or  Lollipop  5.0  amenable  to  search  warrants  would  put  such 
devices  on  the  same  footing  as  those  that  mn  all  previous  version  of  iOS  and  Android  operating 
systems.  There  has  been  no  evidence  of  which  we  are  aware  of  security  breaches  that  have  affected 
the  latter  types  of  devices,  let  alone  any  breaches  attributable  to  the  feature  of  the  operating  systems 
that  rendered  them  amenable  to  search  warrants.  Apple  and  Google  have  never  explained  why  the 
prior  systems  lacked  security  or  were  vulnerable  to  hackers  and,  thus,  needed  to  be  changed.  It  is 
therefore  unclear  why  it  would  be  unsafe  for  Apple  and  Google  to  retain  the  ability  to  access  data  on 
devices  pursuant  to  search  warrants. 

Second,  this  office’s  investigation  to  date,  which  has  included  consultation  with  technologists  and 
forensic  experts,  has  indicated  that  even  were  a  person  to  learn  Apple’s  decryption  process  improperly, 
that  person  would  need  the  actual  device  he  wished  to  decrypt  to  use  that  process.  Apple’s  passcode- 
bypass  process  cannot  be  used  remotely  or,  in  other  words,  without  possession  of  the  targeted  device. 
The  ability  to  decrypt  does  not,  alone,  give  Apple  or  a  hacker  access  to  information  stored  on  a 
device.34 
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Third.  Apple  and  Google  are  able  to  provide  some  readable  data  stored  by  users  in  their  cloud 
accounts,  pursuant  to  a  search  warrant.  It  is  unclear  why,  if  Apple’s  and  Google’s  ability  to  decrypt 
data  stored  on  devices  presents  a  security  problem,  the  same  problem  is  not  caused  by  the  ability  of 
the  companies  to  access,  in  unencrypted  form,  data  stored  by  their  users  on  the  companies’  cloud 
servers. 

Fourth,  if  a  user’s  phone  were  to  be  stolen,  as  long  as  the  user  had  previously  enabled  the  Find  My 
iPhone  app35  or  a  specific  setting  in  Android  Device  Manager,36  he  or  she  could  remotely  lock  the 
phone  and  wipe  the  phone’s  data,  preventing  the  data  from  getting  into  the  thief  s  possession.  These 
options  can  effectively  prevent  thief-hackers  from  obtaining  a  phone’s  data.  ’7 

C.  Personal  Privacy  Is  Well  Protected  By  The  Fourth  Amendment 

For  the  above  reasons,  were  Apple  and  Google  once  again  to  give  themselves  the  ability  to  decrypt 
data  stored  on  their  devices,  there  would  not  be  a  significant  loss  of  security.  This,  in  combination 
with  the  safeguards  provided  by  the  Fourth  Amendment,  means  that  personal  privacy  would  be 
successfully  protected. 

The  Fourth  Amendment  dictates  that  search  warrants  may  be  issued  only  when  a  judge  finds  probable 
cause  to  believe  that  a  crime  has  been  committed  and  that  evidence  or  proceeds  of  the  crime  might 
be  found  on  the  device  to  be  searched.38  The  warrant  requirement  has  been  described  by  the  Supreme 
Court  as  “[tjhe  bulwark  of  Fourth  Amendment  protection,”39  and  there  is  no  reason  to  believe  that  it 
cannot  continue  to  serve  in  that  role,  whether  the  object  that  is  to  be  searched  is  an  iPhone  or  a  home. 

In  fact,  what  makes  full-disk  encryption  schemes  remarkable  is  that  they  provide  greater  protection  to 
one’s  phone  than  one  has  in  one’s  home,  which,  of  course,  has  always  been  afforded  the  highest  level 
of  privacy  protection  by  courts.  Apple  and  Google  should  not  be  able  to  alter  this  constitutional 
balance  unilaterally.  Every  home  can  be  entered  with  a  search  warrant.  The  same  should  be  true  of 
devices. 

D.  This  Is  Different  From  The  “Clipper  Chip” 

The  recent  encryption  debate  has  drawn  parallels  to  the  “Crypto  Wars”  of  the  1990s  when  the  Clinton 
Administration  proposed  requiring  that  telephone  and  electronic  communications  devices  be 
equipped  with  a  “Clipper  Chip,”  which  would  have  given  the  government  a  “key”  to  decrypt 
communications.4"  Despite  the  comparisons,  however,  this  paper  does  not  propose  using  any 
technology  similar  to  the  Clipper  Chip. 

The  Clipper  Chip  was  a  small  hardware  chip  that  would  encrypt  the  private  communications  of  two 
parties  and  provide  both  ends  with  a  cryptographic  key  to  decipher  the  message.  Any  device  with  a 
Clipper  Chip  also  would  be  assigned  an  additional  key  given  to  the  government  “in  escrow.”  If  a 
government  agency  obtained  a  court-ordered  wiretap  to  intercept  communications  made  using  a 
particular  device,  the  key  would  be  given  to  that  agency  so  that  all  data  transmitted  could  be 
decrypted.41 
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The  government  intended  for  the  chip  to  be  implanted  into  almost  all  telephone  and  electronic 
communications  devices  manufactured  in  the  U.S.  But  the  technology  was  abandoned  by  the 
government  after  research  showed  that  it  would  have  been  technologically  unworkable,  and  that  there 
was  a  flaw  in  the  technology  that  would  have  allowed  a  third  party  to  encode  communications  so  that 
even  the  government’s  key  could  not  unscramble  it.42 

This  paper  does  not  propose  any  new  technology,  nor  does  it  propose  that  governments  hold  a  key 
to  smartphones.  It  proposes  an  arrangement  that  worked  without  any  significant,  documented 
security  problems  before  iOS  8  and  Lollipop  5.0.  And,  the  only  keys  would  be  held  by  the  operating 
system  designers. 

E.  Other  Nations  Are  Exploring  Similar  Solutions 

Some  critics  have  suggested  that  the  U.S.  is  insufficiently  protective  of  privacy  and  technological 
innovation,  and  that  requiring  software  to  be  amenable  to  government  searches  will  somehow  put  the 
U.S.  out-of-step  with  the  rest  of  the  world.  Of  course,  being  out-of-step  with  the  rest  of  the  world, 
for  the  right  reasons,  would  not  be  a  bad  thing,  but,  in  any  event,  this  paper’s  proposal  is  not. 

Other  nations,  recognizing  the  dangers  posed  by  impregnable  encryption,  have  enacted  legislation,  or 
are  considering  legislation,  that  would  guarantee  government  access  under  appropriate  circumstances. 
Although  much  of  this  legislation  relates  to  data  in  transit  rather  than  data  at  rest,  it  evidences  these 
countries’  deep  concerns  regarding  undecryptable  data. 

United  Kingdom 

In  a  January  12,  2015  speech,  British  Prime  Minister  David  Cameron  said  that  governments  must  have 
all  necessary  tools  to  protect  their  citizens,  including  access  to  private  communications  under 
appropriate  circumstances:  “[T]he  question  is  are  we  going  to  allow  a  means  of  communications  which 
it  simply  isn’t  possible  to  read.  My  answer  to  that  question  is:  no,  we  must  not.  The  first  duty  of  any 
government  is  to  keep  our  country  safe.”43 

Prime  Minister  Cameron  pledged  to  propose  legislation  that  would  enable  his  government  to  access 
both  metadata  and  content  of  communications.  He  argued  that  this  surveillance — which  would 
require  approval  by  the  home  or  foreign  secretary — would  be  consistent  with  a  “modern,  liberal 
democracy.”44  He  explained  that  communications  data  is  “absolutely  crucial  not  just  to  fight  terrorism 
but  finding  missing  people,  murder  investigations.” 45  Of  course,  precisely  the  same  is  true  in  the  U.S. 

Prime  Minister  Cameron  reaffirmed  his  position  in  June  2015  and  said  that  his  government  will 
propose  legislation  in  the  fall  of  2015.  In  response  to  a  question  in  Parliament,  Cameron  said: 

We  have  always  been  able,  on  the  authority  of  the  home  secretary,  to  sign  a  warrant 
and  intercept  a  phone  call,  a  mobile  phone  call  or  other  media  communications,  but 
the  question  we  must  ask  ourselves  is  whether,  as  technology  develops,  we  are  content 
to  leave  a  safe  space — a  new  means  of  communication — for  terrorists  to  communicate 
with  each  other.  My  answer  is  no,  we  should  not  be,  which  means  that  we  must  look 
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at  all  the  new  media  being  produced  and  ensure  that,  in  every  case,  we  are  able,  in 
extremis  and  on  the  signature  of  a  warrant,  to  get  to  the  bottom  of  what  is  going  on.46 

As  of  the  publication  of  this  Report,  no  such  legislation  has  been  introduced. 

France 

In  February  2015,  French  Interior  Minister  Bernard  Cazeneuye  visited  U.S.  technology  companies  in 
Silicon  Valley,  including  Apple  and  Google,  and  urged  them  to  ease  encryption  policies  that  block 
government  access  to  terroristic  and  other  criminal  communications.4'  During  an  interview  before 
the  trip.  Minister  Cazeneuye  noted  that  encryption  was  a  central  issue.  “We  are  facing  a  new  threat. 
We  need  tech  companies  to  realize  that  they  have  an  important  role  to  play,”  he  said.48 

The  Netherlands 

In  July  2015,  the  Dutch  government  released  for  public  comment  a  proposed  bill  updating  the 
country’s  Intelligence  &  Security  Act  of  2002.  The  bill  would,  among  other  things,  authorize 
intelligence  agencies  to  compel  assistance  with  decryption  of  data,  including  communications.49 

*  *  * 

These  statements  and  pieces  of  proposed  legislation  are  not  all  the  same,  nor  are  they  identical  to  what 
is  proposed  here.  The  significance  of  each  of  them,  however,  is  that  they  evidence  the  recognition  by 
sophisticated  governments,  in  societies  that  value  individual  privacy  highly,  as  ours  does,  that  it  is  a 
government’s  principal  responsibility  to  keep  its  residents  safe,  and  that  a  government  cannot  fulfill 
that  responsibility  if  huge  amounts  of  vital  information  directly  related  to  public  safety  are  inaccessible 
to  the  government.  That  same  recognition  should  guide  the  U.S. 

F.  Lawful  Government  Access  To  Smartphone  Data  Comports  With  International 
Human  Rights  Law,  And  Would  Not  Harm  Human  Rights  Activists 

Some  have  suggested  that  making  smartphones  accessible  to  lawful  governmental  searches  would 
violate  international  human  rights  law  and  might  be  harmful  to  human  rights  activists.  50  Neither  point 
is  persuasive. 

The  U.N.  Human  Rights  Council  addressed  encryption  and  privacy  rights  in  two  recent  reports:  a  June 
30,  2014  report  entitled  “The  Right  to  Privacy  in  the  Digital  Age”  by  the  Office  of  the  United  Nations 
High  Commissioner  for  Human  Rights,  and  a  May  22,  2015  report  entitled  “The  Promotion  and 
Protection  of  the  Right  to  Freedom  of  Opinion  and  Expression”  by  the  U.N.  Human  Rights  Council 
Special  Rapporteur  Professor  David  Kaye.51  In  both  reports,  the  United  Nations  Human  Rights 
Council  stated  that  court-ordered  decryption  does  not  violate  international  human  rights  and  is 
permissible  if  the  government  intrusion  is  lawful,  narrow,  and  necessary.  Where  there  is  a  legitimate 
aim  —  such  as  the  prevention  of  terrorism  or  crime  —  and  where  appropriate  safeguards  are  in  place, 
“a  State  might  be  allowed  to  engage  in  quite  intrusive  surveillance.”52  In  his  report,  Professor  Kaye 
explained  that: 
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Court-ordered  decryption,  subject  to  domestic  and  international  law,  may  only  be 
permissible  when  it  results  from  transparent  and  publicly  accessible  laws  applied  solely 
on  a  targeted,  case-by-case  basis  to  individuals  (i.e.,  not  to  a  mass  of  people)  and 
subject  to  judicial  warrant  and  the  protection  of  due  process  rights  of  individuals.53 

Following  these  principles,  the  U.N.  Human  Rights  Council  enunciated  a  three-part  test  to  determine 
when  a  government  can  restrict  encryption: 

1)  The  government  restriction  must  be  provided  for  by  law.  That  law  must  be 
“sufficiently  accessible,  clear  and  precise  so  that  an  individual  may  look  to  the  law  and 
ascertain  who  is  authorized  to  conduct  data  surveillance  and  under  what 
circumstances.”54  The  law  also  must  provide  strong  procedural  and  judicial  safeguards 
in  order  protect  individuals’  due  process  rights.35 

2)  The  government  restriction  may  be  imposed  to  achieve  a  legitimate  objective,  i.e.,  to 
protect  specified  rights,  including  “rights  or  reputation  of  others;  national  security; 
public  order;  public  health  or  morals.”56 

3)  The  government  must  demonstrate  that  the  restriction  is  both  necessary  and 
proportionate  to  the  specific  risk  being  addressed.  5 

Our  proposal  plainly  satisfies  these  criteria.  First,  a  smartphone  would  be  searchable  only  pursuant  to 
a  judicially-issued  warrant  upon  a  showing  of  probable  cause.  The  legal  principles  pursuant  to  which 
such  warrants  are  issued  are  well-known  and  precise.  They  provide  for  “strong  procedural  and  judicial 
safeguards”  to  protect  individuals’  due  process  rights,  as  required  by  the  United  Nations.58 

Second,  the  United  Nations  states  that  limitations  on  individuals’  privacy  may  be  justified  to  protect 
national  security,  public  order,  and  public  health.’9  Law  enforcement’s  efforts  to  solve  crimes  fall 
within  the  definition  of  “public  order.” 

Third,  as  demonstrated  above,  obtaining  information  on  smartphones  has  been  crucial  in  solving  and 
prosecuting  a  variety  of  types  of  crimes,  including  very  serious  ones.6"  Requiring  technology 
companies  to  retain  the  ability  to  decrypt  data,  which  resulted  in  no  appreciable  harm  to  security  or 
public  safety,  is  a  proportionate  and  necessary  solution  to  the  problems  caused  by  default  full-disk 
encryption. 

One  of  the  arguments  consistently  raised  by  those  who  argue  in  favor  of  default  full-disk  encryption 
of  data  stored  on  devices  is  that  if  the  U.S.  government  were  to  have  the  right  to  access  a  smartphone’s 
contents,  then  all  governments  would  have  that  right.  And,  the  argument  continues,  if  a  repressive 
government  exercised  that  right,  dissidents  and  human  rights  advocates  in  the  repressive  country 
would  be  injured,  because  the  repressive  government  would  seek  access  to  smartphones  to  spy  on, 
prosecute,  and  otherwise  oppress  the  dissidents  and  human  rights  advocates.61 

This  argument  unravels  upon  close  inspection.  Apple  and  Google  could  keep  information  regarding 
their  decryption  processes  in  the  U.S.,  and  give  access  to  the  data  stored  on  phones  to  only  those 
countries  that  abide  by  certain  standards  of  human  rights  and  liberties.  Technology  companies  are 
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not  required  to  treat  requests  from  all  nations  equally.  Some  companies  choose  not  to  do  business  in 
foreign  countries  with  oppressive  governments,  or  to  do  only  limited  business  in  them.  If  Apple  and 
Google  were  to  cater  to  the  whims  of  repressive  countries,  it  would  be  because  they  chose  to  do  so, 
not  because  they  were  forced  to. 

The  technology  companies’  claims  that  if  the  U.S.  government  demands  access  to  information,  the 
government  will  “have  little  room  to  object”62  to  repressive  regimes’  demands  ignores  the  fact  that 
local  law  enforcement  in  the  U.S.  seeks  access  to  information  only  through  a  lawful  judicial  process. 
If  a  foreign  nation’s  government,  repressive  or  not,  wanted  information  from  an  American  company, 
it  also  would  have  to  go  through  lawful  processes  in  the  U.S.,  either  pursuant  to  a  Mutual  Legal 
Assistance  Treaty  (MLAT)63  or  a  letter  rogatory.64  If  the  foreign  government  used  the  MLAT  process, 
the  executive  branch  of  the  federal  government  would  decide  whether,  in  its  discretion,  the  foreign 
government’s  request  was  proper.  If  the  foreign  government  used  a  letter  rogatory,  a  federal  court 
would  make  that  determination. ta  In  either  case,  the  request  could  be  refused  if  the  information  was 
sought  for  use  in  a  proceeding  that  would  violate  human  rights.  “At  a  minimum,  the  Constitution 
requires  that  a  request  not  be  honored  if  the  sought-after  information  would  be  used  in  a  foreign 
judicial  proceeding  that  ‘departfs]  from  our  concepts  of  fundamental  due  process  and  fairness.’”66 
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VII.  Questions  For  Apple  And  Google 


Certain  information  regarding  Apple’s  and  Google’s  technology  and  their  responses  to  foreign 
government  requests  for  customer  information  is  known  only  to  Apple  and  Google.  The  Manhattan 
District  Attorney’s  Office  has  previously  sent  letters  to  Apple  and  Google  that  asked  some  of  the 
questions  necessary  to  a  fully-informed  debate  regarding  their  technology  and  its  implications  for 
criminal  cases,  privacy,  and  security.  Neither  company  has  responded.67  Immediately  below  are 
several  additional  questions  that  Apple  and  Google  should  answer  -  and  that  only  they  have  the 
information  to  answer  -  so  that  the  best  possible  balance  of  all  the  concerns  involved  can  be  reached. 

Question  1 


In  iOS  7  and  prior  operating  systems,  and  in  Android  systems  prior  to  Lollipop  5.0,  if  an  attacker 
learned  Apple  ’s  or  Google  ’s  decryption  process,  could  he  use  it  to  remotely  attack  devices  or  would  he 
need  possession  of  the  device? 

Why  This  Is  Important  To  Know:  If  the  risk  addressed  by  the  new  encryption  schemes  would 
require  knowledge  of  Apple’s  or  Google’s  decryption  process  and  possession  of  the  device  to  be 
hacked,  the  risk  would  appear  to  be  much  smaller  than  if  knowledge  of  the  decryption  process  alone 
could  allow  a  hacker  to  access  a  device  remotely. 

Question  2 

What  technical problem  does  the  full-disk  encryption  of  iOS  8  and  Lollipop  5.0  solve? 

a.  Quantify  the  problem  to  the  extent possible.  For  example,  if  the  largest  security  threat posed 
by  prior  systems  was  a  hacker  hacking  Apple’s  or  Google’s  systems  to  gain  access  to  the 
decryption  process,  what  are  the  chances  of  this?  Has  it  happened  before?  If  the  largest 
security  threat  posed  by  prior  systems  was  an  insider  improperly  sharing  Apple’s  or  Google’s 
decryption  process,  has  this  happened  before?  What  security  protocols  are  in  place  to  make 
sure  this  doesn’t  happen?  What  are  the  chances  of  them  being  breached? 

b.  Is  the  likelihood  of  a  successful  cloud  hack  decreased  by  the  new  encryption  scheme?  If  so, 
why  and  how  much? 

Why  This  Is  Important  To  Know:  In  order  to  determine  the  appropriate  balance  between  the  added 
security  of  the  new  encryption  schemes  and  the  harm  to  criminal  investigations  and  prosecutions,  it 
is  important  to  understand  the  scope  of  the  problems  on  each  side. 

Question  3 


If  there  are  significant  security  problems  posed  by  the  ability  of  Apple  and  Google  to  decrypt  data  on 
devices  with  earlier  operating  systems,  do  those  same  security  problems  exist  as  to  cloud  data  as  a  result 
of  Apple’s  and  Google’s  current  ability  to  provide  readable  data  stored  on  their  cloud  servers?  If  not, 
why  not? 
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Why  This  Is  Important  To  Know:  If  there  are  security  problems  of  importance  that  result  from  the 
ability  of  technology  companies  to  decrypt  data  on  their  devices,  it  is  difficult  to  understand  why  these 
concerns  would  not  exist  in  relation  to  their  ability  to  provide  readable  cloud  data.  If  the  same  security 
problems  exist  as  to  data  currently  stored  in  the  cloud,  why  aren’t  the  companies  providing  their 
customers  with  impregnable  encryption  for  their  cloud  data?  If  the  same  security  problems  exist  as  to 
cloud  data,  but  the  technology  companies  don’t  feel  it  necessary  to  impregnably  encrypt  that  data,  is 
it  not  fair  to  infer  that  the  scope  of  the  security  problems  solved  by  the  current  encryption  schemes  is 
limited? 

Question  4 


How  did  Apple  and  Google  respond  to  requests  for  customer  data,  including  content  and  non-content 

data,  from  foreign  governments  prior  to  iOS  8  and  Lollipop  5.0? 

a.  What  type  of  legal process  was  required for  Apple  or  Google  to  provide  content from  a  device 
to  another  country?  Does  it  depend  on  the  country?  If  so,  describe  the  difference  in  what  was 
required  from  different  countries  and  what  could  be  provided  to  different  countries. 

b.  In  the  transparency  report  for  the  second  half  of  2014,  Apple  indicates  that  it  provided  no 
content  to  China  from  accounts.  Was  any  requested?  If  so  and  none  was  provided,  how 
could  Apple  refuse  to  provide  content?  Was  any  content  from  devices  provided  (as  opposed 
to  iCloud  content  or  other  content  stored  on  Apple’s  servers)? 

c.  Has  Google  ever  refused  to  provide  content  upon  receiving  a  request  to  do  so  from  a  foreign 
government  when  it  was  technologically  possible  to  provide  that  content?  If  so,  how  could 
Google  make  such  a  refusal? 

d.  Do  Apple ’s  and  Google ’s purported  needs  to  respond  to  law  enforcement  requests  from  foreign 
government  result  in  any  way  from  their  choices  to  do  business  in  those  countries?  Do  Apple 
and  Google  respond  to  law  enforcement  requests  from  countries  in  which  it  does  not  do 
business?  If  so,  by  what  process? 

e.  How  do  Apple  and  Google  respond  to  foreign  government  requests  for  data  stored  on  their 
clouds?  What  type  of  legal  process  is  required?  Are  these  requests  ever  denied?  If  so,  on 
what  basis?  If  these  requests  are  made  by  oppressive  foreign  governments,  how  do  Apple  and 
Google  deal  with  that  problem? 

Why  This  Is  Important  To  Know:  Some  people  contend  that  if  Apple  and  Google  have  the  ability 
to  decrypt  content  stored  on  their  devices  pursuant  to  U.S.  legal  process,  then  they  will  also  be  required 
to  decrypt  content  pursuant  to  foreign  government  requests.  While  this  contention  is  unpersuasive, 
see  supra  Section  VI  (F),  it  would,  in  any  event,  be  informative  to  learn  how  Apple  and  Google 
previously  responded  to  foreign  government  requests  for  device  data  and  currently  respond  to  foreign 
government  requests  for  cloud  data. 
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Question  5 


In  this  office’s  experience  (and,  it  appears,  other  offices’  experiences)  with  Apple’s  responses  to  iCloud 
search  warrants  for  devices  running  iOS  8,  thus  far,  Apple  has  provided  either  no  iMessage,  SMS 
message,  and  MMS  message  content  or  has  provided  encrypted,  unreadable  message  content.  It  is 
unclear  why  Apple  is  not  providing  decrypted ,  readable  message  content  for  iCloud  accounts, 
particularly  given  that  its  law  enforcement  guidelines  state  that  this  content  can  be  turned  over  to  law 
enforcement  pursuant  to  a  search  warrant 

(http: II 'images.apple.com / ' privacy / docs / Us  le  guidelines  final  20150916.pdf  p.  8).  Why  isn’t 
Apple  providing  decrypted  iMessage,  SMS  message,  and  AIMS  message  content  from  iCloud  in 
response  to  search  warrants ? 

Why  This  Is  Important  To  Know:  iMessage,  SMS  message,  and  MMS  message  content  is  crucial  to 
criminal  investigations  and  prosecutions.  Since  there  are  no  readily  apparent  obstacles  to  Apple 
providing  decrypted  message  content  from  iCloud  accounts  in  response  to  a  search  warrant,  and  since 
Apple’s  law  enforcement  guidelines  say  that  Apple  can  provide  it,  it  should  explain  why  it  is  not  doing 
so. 


Question  6 


Can  Apple  and  Google  recover  data  deleted  from  iCloud  and  Google  cloud  storage  for  a  customer ? 

Under  what  circumstances ?  Can  Apple  and  Google  recover  data  deleted  from  iCloud  and  Google 
cloud  storage  for  law  enforcement  in  those  same  circumstances ?  If  not,  why  not ? 

Why  This  Is  Important  To  Know:  Deleted  data  can  be  some  of  the  most  probative  evidence  in  a 
criminal  investigation.  If  deleted  data  can  be  recovered  for  Apple’s  and  Google’s  cloud  customers  in 
certain  circumstances,  that  same  data  should  be  able  to  be  provided  by  the  companies  to  law 
enforcement  in  response  to  a  search  warrant. 
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VIII.  Conclusion 


Technology  benefits  us  in  ways  too  many  to  count  and  in  amounts  impossibly  large  to  calculate.  But 
it  can  also  be  used  to  harm  us,  and  unless  we  regulate  it  intelligently  and  carefully,  we  may  suffer  great 
harm.  Smartphones  are  technological  bank  vaults,  but  unlike  bank  vaults,  which,  no  matter  how 
strong,  are  accessible  to  search  warrants,  smartphones  are  becoming  beyond  the  reach  of  law 
enforcement.  The  result  will  be  crimes  that  go  unsolved,  harms  that  go  unanswered,  and  victims  who 
are  left  beyond  the  protection  of  the  law. 
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APPENDIX  I 


To:  Each  of  the  Members  of  the  Assembly  and  Senate  in  New  York  State 

From:  Each  of  the  62  District  Attorneys  in  New  York  State 
Date:  April  16,2015 

Re:  Our  urgent  need  for  legislation  requiring  companies  to  make  smartphones  amenable  to  lawful 

searches 


We,  the  62  District  Attorneys  of  New  York  State,  write  to  alert  you  to  an  urgent  problem,  and 
to  encourage  you  to  solve  the  problem  through  appropriate  legislation. 

The  Problem 

Digital  evidence  plays  a  cmcial  role  in  the  vast  majority  of  criminal  cases  across  our  state,  and, 
indeed,  across  the  nation.  Because  so  many  people  put  extensive  information  on  their  smartphones 
and  hand-held  devices,  those  devices  may  contain  photos,  texts,  voice  messages,  or  emails  that  will 
constitute  relevant  evidence  in  virtually  every  kind  of  case.  We  have  used  material  from  smartphones 
to  prosecute  murders,  rapes,  kidnappings,  fraud,  and  larceny,  among  other  crimes. 

For  law  enforcement  to  access  the  contents  of  a  smartphone  or  similar  device,  we  typically 
need  and  obtain  a  search  warrant.1  It  should  be  noted  that  a  search  warrant  cannot  be  issued  unless 
the  applicant  demonstrates,  to  a  judge,  that  there  is  both  probable  cause  to  believe  a  crime  has  been 
committed  and  probable  cause  to  believe  the  device  contains  evidence  of  that  crime.  If  a  smartphone 
is  protected  by  a  passcode,  however,  then  even  though  the  search  warrant  gives  us  the  legal  right  to 
access  the  contents  of  the  phone,  we  cannot  review  the  material  on  the  phone  because  we  cannot  get 
“through”  the  passcode. 

Elistorically,  in  such  instances  we  have  been  able  to  seek  the  aid  of  the  mobile  operating  system 
providers.  Upon  our  presentation  to  them  of  the  warrant,  they  have  been  able  to  unlock  the  phones, 
and  provide  the  information  on  the  phone  that  was  responsive  to  the  warrants. 

In  the  past  few  months,  however,  the  companies  have  deliberately  designed  software,  entire 
operating  systems,  and  mobile  devices  such  that  even  they  cannot  unlock  passcode-protected  phones. 
The  companies  have  touted  this  development,  explicitly  advertising  their  inability  to  comply  with 
lawful  government  requests.2  As  a  consequence,  the  search  warrant  becomes  a  nullity,  because  even 
law  enforcement  officers  possessing  valid  search  warrants  or  court  orders  cannot  access  the  contents 


1  See  Riley  v.  California, _ U.S. _ ,  134  S.  Ct.  2473  (2014). 

'  See,  e.g.,  Apple  web  site:  (“On  devices  running  iOS  8,  your  personal  data  such  as  photos,  messages  (including 

attachments),  email,  contacts,  call  history,  iTunes  content,  notes,  and  reminders  is  placed  under  the  protection  of  your 
passcode.  Unlike  our  competitors,  Apple  cannot  bypass  your  passcode  and  therefore  cannot  access  this  data.  So 
it's  not  technically  feasible  for  us  to  respond  to  government  warrants  for  the  extraction  of  this  data  from  devices 
in  their  possession  running  iOS  8.”)  (Emphasis  added),  (available  at  https:/ /www.apple. com /privacy/ government- 
information-requests  /)  (last  visited,  January  28,  2015).  Unfortunately,  Google  has  designed  its  latest  version  of  the 
Android  operating  system  so  that,  like  Apple’s  iOS  8,  it  is  beyond  the  reach  of  lawful  search  warrants.  See,  eg.,  Newest 
Androids  will  join  iPhones  in  offering  default  encryption,  blocking  police.  The  Washington  Post,  September  18,  2014  (available  at 
http:/  /  www. washingtonpost.com/blogs/the-switch/wp/2014/09/18/newest-androids-will-join-iphones-in-offering- 

default-encryption-blocking-police/)  (last  visited  February  10,  2015). 


of  passcode-protected  smartphones.  In  other  words,  criminals  using  passcode-protected  devices  have 
been  granted  license  to  evade  a  lawful  order  of  a  court  and  are  thus  quite  literally,  protected  in  their 
criminal  endeavors. 

It  is  as  if  the  police  get  a  search  warrant  for  a  safe  deposit  box  at  a  bank  because  they  have 
reason  to  believe  that  the  safe  deposit  box  has  evidence  of  a  crime  —  but  they  cannot  open  the  box 
because  the  bank  has  thrown  away  its  own  key.  Indeed,  this  situation  is  even  worse  because  whereas 
a  safe  deposit  box  can,  ultimately,  be  opened  by  force,  a  passcode-protected  smartphone  is  virtually 
impregnable,  unless  the  companies  maintain  the  ability  to  open  the  phones  that  it  manufactures. 

Although  the  companies  tout  their  new  software  as  a  boon  for  their  users’  privacy,  users’ 
privacy  is  adequately  protected  by  the  Fourth  Amendment,  and  specifically  the  requirement  that  a 
judge  or  magistrate  -  that  is,  a  neutral  party  -  issue  a  search  warrant  only  upon  a  showing  of  probable 
cause  that  the  phone  will  contain  evidence  of  a  crime.3 

The  fact  is  that,  although  the  new  software  may  enhance  privacy  for  some  users,  it  severely 
hampers  law  enforcement’s  ability  to  aid  victims.  All  of  the  evidence  contained  in  smartphones  and 
similar  devices  will  be  lost  to  law  enforcement,  so  long  as  the  criminals  take  the  precaution  of 
protecting  their  devices  with  passcodes.  Of  course  they  will  do  so.  Simply  stated,  passcode-protected 
devices  render  lawful  court  orders  meaningless  and  encourage  criminals  to  act  with  impunity.  The 
ultimate  losers  in  this  equation  are  crime  victims. 

The  need  for  a  legislative  solution 

The  United  States  Attorney  General,  the  director  of  the  FBI,  and  others  have  severely 
criticized  the  companies’  efforts  to  keep  evidence  immune  from  lawful  process.4  Criticism,  however, 
is  not  enough.  The  companies  benefit  immeasurably  from  the  laws  protecting  intellectual  property, 
as  well  as  from  extensive  federal  regulation.  They  should  not  be  able  to  thumb  their  noses  at  law 
enforcement  when,  with  warrant  in  hand,  it  comes  to  seek  their  help.  The  safety  of  the  citizenry  calls 
for  a  legislative  solution,  and  a  solution  is  easily  at  hand. 

We  would  propose  that  the  New  York  State  Legislature  pass  the  following  bill,  to  penalize 
those  who  would  sell  smartphones  that  are  beyond  the  reach  of  law  enforcement.  If  enacted,  this  bill 
would  provide  a  significant  deterrent  to  such  sellers,  and  therefore  would  discourage  the  companies 
from  continuing  to  provide  such  smartphone  software. 


U.S.  Const.,  amend.  IV;  see  also,  eg,  United  States  v.  Karo,  468  U.S.  705,  717  (1984)  (“The  primary  reason  for  the 
warrant  requirement  is  to  interpose  a  ‘neutral  and  detached  magistrate’  between  the  citizen  and  ‘the  officer  engaged  in  the 
often  competitive  enterprise  of  ferreting  out  crime.’  Johnson  v.  United  States,  333  U.S.  10, 14  (1948).”). 

!  See,  eg.,  FBI  Director  Calls  On  Congress  To  'Fix'  Phone  Encryption  Bj  Apple,  Google,  Huffington  Post  October  16,  2014 

(available  at  http:/ /www.huffingtonpost.com/2014/10/16/james-comey-phone-encryption  n  5996808.html)  (last 
visited,  January  28,  2015);  US  top  cop  decries  encryption,  demands  backdoors,  Arstechnica,  October  1,  2014  (available  at 
http:/ / arstechnica.com/tech-policy/2014/10/us-top-cop-decries-encnrption-demands-backdoors /)  (last  visited,  January 
28,  2014). 


Proposed  Statutory  Language 


The  general  business  law  is  amended  by  adding  new  section  902  to  read  as  follows: 

§  902  Smartphones 

1.  For  the  purposes  of  this  section,  the  following  terms  have  the  following  meanings: 

(A)  A  “Smartphone”  means  a  cellular  radio  telephone  or  other  mobile  voice  communications 
handset  device  that  includes  the  following  features: 

(i)  Utilizes  a  mobile  operating  system. 

(ii)  Possesses  the  capability  to  utilize  mobile  software  applications,  access  and  browse  the 
Internet,  utilize  text  messaging,  utilize  digital  voice  service,  and  send  and  receive  email. 

(iii)  Has  wireless  network  connectivity. 

(iv)  Is  capable  of  operating  on  a  long-term  evolution  network  or  successor  wireless  data 
network  communication  standards. 

(B)  “Sold  in  New  York,”  or  any  variation  thereof,  means  that  the  smartphone  is  sold  at  retail  from 
a  location  within  the  state,  or  the  smartphone  is  sold  and  shipped  to  an  end-use  consumer  at 
an  address  within  the  state.  “Sold  in  New  York”  does  not  include  a  smartphone  that  is  resold 
in  the  state  on  the  secondhand  market  or  that  is  consigned  and  held  as  collateral  on  a  loan. 

(C)  “Leased  in  New  York,”  or  any  variation  thereof,  means  that  the  smartphone  is  contracted  for 
a  specified  period  of  time  to  an  end-use  consumer  at  an  address  within  the  state. 

2.  Any  smartphone  that  is  manufactured  on  or  after  XX,  and  sold  or  leased  in  New  York,  shall  be 
capable  of  being  decrypted  and  unlocked  by  its  manufacturer  or  its  operating  system  provider. 

3.  The  sale  or  lease  in  New  York  of  a  smartphone  manufactured  on  or  after  XX  that  is  not  capable 
of  being  decrypted  and  unlocked  by  its  manufacturer  or  its  operating  system  provider  shall  subject 
the  seller  or  lessor  to  a  civil  penalty  of  $2,500  for  each  smartphone  sold  or  leased  if  it  is 
demonstrated  that  the  seller  or  lessor  of  the  smartphone  knew  at  the  time  of  the  sale  or  lease  that 
the  smartphone  was  not  capable  of  being  decrypted  and  unlocked  by  its  manufacturer  or  its 
operating  system  provider.  No  seller  or  lessor  who  pays  the  civil  penalty  may  pass  any  portion  of 
that  penalty  on  to  any  purchaser  of  smartphones  by  raising  the  sales  or  lease  price  of  smartphones. 

4.  The  retail  sale  or  lease  of  a  smartphone  manufactured  on  or  after  XX  that  is  not  capable  of  being 
decrypted  and  unlocked  by  its  manufacturer  or  its  operating  system  provider  shall  not  result  in 
liability  to  the  seller  or  lessor  if  the  inability  of  the  manufacturer  and  operating  system  provider  to 
decrypt  and  unlock  the  smartphone  is  the  result  of  actions  taken  by  any  person  or  entity  other 
than  the  manufacturer,  the  operating  system  provider,  the  seller,  or  the  lessor  so  long  as  such 
actions  were  unauthorized  by  the  manufacturer,  the  operating  system  provider,  the  seller,  or  the 
lessor  unless  at  the  time  of  sale  or  lease  the  seller  or  lessor  had  received  notification  that  the 
manufacturer  and  operating  system  provider  were  unable  to  decrypt  and  unlock  smartphones  that 
had  been  acted  upon  in  the  manner  described  above. 

5.  A  civil  suit  to  enforce  this  section  may  be  brought  by  the  following  parties  and  none  others:  (a) 
the  Attorney  General,  for  any  sale  or  lease  of  a  smartphone  in  New  York,  and  (b)  the  district 


attorney  for  any  sale  or  lease  of  a  smartphone  in  the  county  represented  by  the  district  attorney, 
provided  however  that  the  seller  or  lessor  may  be  subject  to  not  more  than  a  single  penalty  for  each 
sale  or  lease  of  a  smartphone. 


Conclusion 

New  York  can  and  should  lead  the  nation  in  protecting  its  citizens,  and  in  responding  to  the 
misguided  and  dangerous  attempts  by  digital  device  manufacturers  to  turn  digital  devices  into  virtual 
safes  that,  being  beyond  the  reach  of  law  enforcement,  are  havens  for  criminals.  Revelations  in  the 
recent  past  about  NSA  surveillance  and  similar  government  intmsions  on  privacy  have  made  people 
acutely  aware  of  threats  to  their  privacy.  We  are  not  proposing  that  peoples’  privacy  be  limited. 
Peoples’  privacy  is  protected  by  the  warrant  requirement,  as  it  always  has  been.  This  bill  would  help 
to  protect  New  Yorkers.  We  urge  that  you  support  it. 


APPENDIX  II 


CYRUS  R.  VANCE,  JR. 
District  Attorney 


DISTRICT  ATTORNEY 

COUNTY  OF  NEW  YORK 
ONE  HOGAN  PLACE 
New  York,  N.Y.  10013 
(212)  335-9000 


March  31,  2015 

Jane  Horvath,  Senior  Director  of  Global  Privacy 
Apple  Headquarters 
1  Infinite  Loop 
Cupertino,  CA  95014 

Re:  Follow-up  from  our  meeting  of  March  19. 2015 

Dear  Jane, 

Thank  you  for  the  time  you  spent  on  March  19th  with  me  and  my  colleagues,  as  well  as 
representatives  from  the  Secret  Service  and  the  National  Computer  Forensics  Institute, 
discussing  smartphone  encryption  and  its  impact  on  law  enforcement.  We  found  the  discussion 
helpful. 

For  us  better  to  understand  some  of  the  concerns  that  you  expressed  at  our  meeting,  we  have 
some  additional  questions  which  we  hope  that  you  can  answer  the  following  questions: 

1 .  There  was  much  discussion  at  our  meeting  about  mobile  phone  data  being  “backed  up”  in 
the  Cloud,  Therefore,  could  you  please  advise  us: 

a.  What  percentage  of  Apple  mobile  device  users  have  associated  iOS  backups 
stored  on  Apple’s  iCloud  servers? 

b.  What  percentage  of  current  Apple  mobile  device  users  have  the  iCloud  backup 
option  turned  on? 

c.  What  percentage  of  current  Apple  mobile  device  users  have  utilized  iCloud 
backup  to  produce  at  least  one  backup  stored  with  Apple? 

d.  What  is  the  retention  period  of  an  iCloud  backup  if  the  user  decides  to  turn  off 
iCloud  backup? 

e.  Are  the  iOS8  backups  stored  on  the  iCloud  encrypted? 


2.  As  we  explained,  our  view  is  that  the  judicially-issued  search  warrant  is  the  bulwark  for 
the  protection  of  people’s  privacy,  I  understood  that  Apple  believes  that  if  Apple  kept  a 
“key”  so  that  it  was  able  to  open  locked  iPhones,  some  foreign  authorities  might  compel 
Apple  to  open  iPhones  and  thus  use  them  against  their  own  citizens.  That  leads  to  the 
following  questions: 

a.  Is  it  accurate  that,  after  the  iOS8  upgrade,  Apple  no  longer  maintains  the  ability  to 
unlock  iPhones  running  on  iOS8  anywhere  in  the  world  market?  For  example, 
does  Apple  no  longer  maintain  the  ability  to  unlock  iPhones  running  iOS8  that  it 
sells  in  China,  India,  or  other  world  markets  outside  of  the  United  States?  Even  if 
Apple  does  not  maintain  the  ability  to  unlock  devices  running  on  iOS8,  does 
Apple  provide  any  foreign  agency  or  entity  the  right  or  ability  to  unlock  iOS8 
devices? 

b.  In  the  past  five  (5)  years,  how  many  demands  have  there  been  from  foreign 
jurisdictions  to  unlock  iPhones,  and  has  phone  content  been  provided  to  those 
jurisdictions  in  response? 

c.  For  the  instances  identified  in  2(b)  above,  were  those  demands  from  foreign 
jurisdictions  made  directly  to  Apple,  or  through  letters  rogatory,  or  in  some  other 
fashion? 

3 .  If  Apple  kept  a  “key”  so  that  it  was  able  to  unlock  iPhones,  would  the  iPhones  be  more 
vulnerable  to  hackers  than  if  Apple  had  no  such  “key”?  Is  there  any  “key”  or  similar 
device  that  Apple  might  keep  without  sacrificing  the  security  of  iPhones  from  hackers? 

Is  there  a  way  to  measure  or  quantify  the  vulnerability  to  hackers  of  iPhones  (a)  if  Apple 
kept  a  key,  as  compared  to  (b)  if  it  did  not  keep  a  key? 

We  appreciate  your  time,  andXve  look  forward  to  further  conversations.  Thank  you  also  for 
being  gracious  hosts;  it  wasderrific  to  be  on  the  Apple  campus  and  see  a  true  state  of  the  art 
workplace.  / 


DISTRICT  ATTORNEY 

COUNTY  OF  NEW  YORK 
ONE  HOGAN  PLACE 
New  York,  N.Y.  10013 
(212)  335-9000 


CYRUS  R.  VANCE,  JR, 
District  Attorney 


April  1,  2015 

Kent  Walker,  Senior  Vice  President  and  General  Counsel 
Google  Inc. 

1600  Amphitheatre  Parkway 
Mountain  View,  CA  94043 

Re:  Follow-up  from  our  meeting  of  March  19. 2015 

Dear  Kent, 

Thank  you  for  the  time  you  spent  on  March  19th  with  me  and  my  colleagues,  as  well  as 
representatives  from  the  Secret  Service  and  the  National  Computer  Forensics  Institute,  discussing 
smartphone  encryption  and  its  impact  on  law  enforcement.  We  found  the  discussion  helpful. 

I  was  pleased  and  grateful  to  leam  that  Google  intends  to  install  a  law  enforcement  portal  to  make 
interactions  between  law  enforcement  and  Google,  and  responses  to  grand  jury  subpoenas  and 
search  warrants,  as  efficient  and  timely  as  possible. 

It  is  my  understanding  that  Google  will  continue  its  encryption  initiative  and  that  you  expect  more 
original  equipment  manufacturers  to  create  more  devices  that  support  encryption  over  the  next  few 
months.  As  we  made  very  clear,  while  we  understand  your  position  we  feel  that  encryption  that 
cannot  be  reached  even  by  lawful  process  poses  a  significant  problem  for  law  enforcement,  and  a 
public  safety  threat. 

To  better  understand  some  of  the  encryption-related  matters  that  we  discussed  during  our  meeting, 
we  have  some  questions  that  we  hope  you  can  answer: 

1 .  In  response  to  our  concern  about  our  inability  to  extract  data  from  cellular  phones  with  full 
device  encryption,  it  was  suggested  to  us  that  an  alternative  means  to  obtain  some  of  the 
data  from  the  device  would  be  to  obtain  date  “backed  up”  to  the  cloud.  Therefore,  could 
you  please  advise  us: 

a.  What  percentage  of  Android  mobile  device  users  have  associated  backups  stored 
on  servers? 

b.  What  percentage  of  current  Android  mobile  device  users  have  the  backup  option 
turned  on? 


c.  What  percentage  of  current  Android  mobile  device  users  have  utilized  cloud  backup 
to  produce  at  least  one  stored  backup? 

d.  What  is  the  retention  period  of  a  cloud  backup  if  the  user  decides  to  turn  off  the 
backup? 

e.  Are  the  backups  stored  on  the  cloud  currently  encrypted?  If  it  is  not  currently 
encrypted,  are  their  plans  to  encrypt  the  cloud  content  and  what  is  the  timeline  for 
such  implementation? 

2.  If  Google  kept  a  “key”  so  that  it  was  able  to  unlock  phones,  would  the  phones  be  more 
vulnerable  to  hackers  than  if  Google  had  no  such  key?  Is  there  any  key  or  similar  device 
that  Google  might  keep  without  sacrificing  the  security  of  Android  devices  from  hackers? 
Is  there  a  way  to  measure  or  quantify  the  vulnerability  to  hackers  of  Android  phones  (a)  if 
Google  kept  a  key,  as  compared  to  (b)  if  it  did  not  keep  a  key? 


You  expressed  frustration  at  the  fact  that  your  employees  are  required  to  appear  before  the  grand 
jury  to  authenticate  Google’s  business  records.  I  share  your  frustration,  and  have  drafted  proposed 
legislation  that  would  allow  business  records  to  be  authenticated  by  affidavit.  A  copy  of  our 
proposed  legislation  is  enclosed  herewith.  Google  supported  an  earlier,  almost  identical,  version 
of  this  proposed  legislation,  and  I  presume  that  Google  would  support  this  as  well. 


